malwarewikiaorg-20200223-history
Whale
For its time, Whale was the largest DOS virus ever discovered, weighing in at 9,216 bytes. Behavior When a file infected with Whale is executed, the virus is installed to memory. While the virus is 9,216 bytes in a file, it is 9,984 bytes in memory. The virus behaves differently at different times, sometimes infecting only infecting when that uninfected .com or .exe file is executed, or infecting when the file is even read. It appends its 9,216 bytes to the end of the file. There are even times when the virus may disinfect a file when it is copied. It may sometimes appear to simulate rebooting the system. When it does this, the virus will disable the break key, so the user will not be able to stop the execution of the AUTOEXEC.BAT file. This ensures that any file executed by AUTOEXEC.BAT will be infected. Files infected in this way are usually, but not always, the 9,216 byte kind that show the original file length when the "DIR" command is given. The virus may also sometimes create a file at the root of the C: drive named FISH-#9.TBL. It may sometimes randomly remove this file and even recreate it. This file contains an image of the hard disk's partition table as well as the following text: "Fish Virus #9 A Whale is no Fish! Mind her Mutant Fish and the hidden Fish Eggs for they are damaging. The sixth Fish mutates only if the Whale is in her Cave." There have been no successful tests of the claim contained in this file. Whale may display the following message: THE WHALE IN SEARCH OF THE 8 FISH I AM '~knzyvo}' IN HAMBURG addr error D9EB,02 There will also be the text "Z THE WHALE" in memory, but this will not be displayed on the screen. The infection length is usually 9,216 bytes. If the file is infected with the virus and the infection is this length, the virus will hide the increase in length when the user runs the "DIR" command. Sometimes the virus will produce a mutation which may have a different infection length. In this case DIR wil show the actual infected length or it may show the actual infected length minus 9,216 bytes. Running the CHKDSK program will report file allocation errors. Running CHKDSK /F will cause damage to some files. Whale will also alter the date/time of the infected file. It may do this improperly, making the program inaccessable to some disk utility programs. If the user attempts to use a debugger, the virus blocks the keyboard and stops running. While the virus is in memory, it causes many problems for the system. The system slows down and the screen may flicker. Writes to the screen may be noticably delayed to the point where programs may appear to hang, then execute properly. Name/Origin Whale gets its name from the text contained in the virus. Other names used for the virus are Fish, Mother Fish and Fish 9. While its origin is not 100% certain, the text also suggests that it comes from Hamburg, Germany. Some sources report the name of this virus's creator as "R. Horner", but no sources can be found that can verify the name, except for a Wikipedia entry, whose only source does not mention R. Horner. "knzyvo" is the only name on the virus and the only other information it gives for the whereabouts of the creator is that he is likely from Hamburg. This virus was officially Whale was originally posted to an American BBS with a description from the poster. The description did not completely accurately describe the virus, leading some antivirus researchers to suspect that the poster either did not really know the virus that well, or was deliberately trying to throw off researchers. Media Sources 40Hex Volume 1 Issue 2, The Whale Virus. VIRUS-L Digest, Volume 3 : Issue 158. 1990.09.18 Jim Bates. Reports collected and collated by PC-Virus Index, The Virus Information Service, Whale Virus aka Mother Fish & Fish #9. 1990.10 Frederic Raynal. Security Focus, Malicious cryptography, part one. 2006.05.08 Category:Virus Category:DOS Category:DOS virus Category:Encrypted virus Category:Polymorphic virus Category:Armored virus Category:Stealth virus